Alrighty then , ladies and gentlemen , welcome back to another episode of Privacy , please . I'm Cameron Ivey , alongside Gabe Gumbs . How you doing , gabe , how we doing .
Speaker 2I am good , I'm good , we are dead . In the middle of it . It's a couple of weeks before Black Hat and DEF CON , gearing up for that summer festival . Yeah , hacker Summer Camp , hacker Summer Camp when's that ? Again , that's coming up um august , august . So black , uh , defcon's august 7th starts at august 7th , but there's a bunch of things going on , right . So you've got b-sides which starts the weekend prior , right , black hat , which I think , kicks off on the 5th . I could be wrong about Black Hat , I don't remember , but DEF CON starts on the 7th .
Speaker 1I was pretty excited and I haven't been . I don't think I've been to Black Hat one time , but I haven't been to any of those in a couple years now .
Speaker 2Yeah , something about not going to the desert in the middle of summer . That's okay with me quite frequently , it's okay . It's okay . It's okay to miss one once in a while , Although it's a great time . It's an awesome time . I'm always good to catch up with friends and , you know , make some new ones in the security community . It's always some amazing talks on display . It's always a good time . No complaints , except for the weather . The weather be . The complaint . 120 night is . We're not built for that as humans , quite frankly .
Speaker 1No , that sounds super uncomfortable .
Speaker 2Yes .
Speaker 1I was driving the other day I saw this guy on a scooter with like a black sweater hood , on jeans , walking in the middle of the day almost 100 degrees . I'm just like I don't how , why , what are you ? What's ?
Speaker 2happening Across the street . Man Across the street Sounds like a Luigi's scenario , like I wouldn't be worried unless I'm the CEO of a large healthcare company , is it ? I don't know , we may have just lost a couple of subscribers on that one .
Speaker 1No , no , we got this . So , gabe , I'm going to paint a picture for you and for , obviously , the audience , on what we're going to go into talking about today . So imagine you're in charge of defending a fortress . For years , you focused on strengthening the walls , locking the gates and watching the perimeter . Then , one day , a stunning order comes down from the top . Stop worrying about the walls . Assume the enemy is already inside with you . It's pretty powerful . Yeah , there was a stark you pulled me into this about a stark warning that the issue to all US forces to operate under the assumption that their networks have been compromised . Let's dig into this .
Speaker 2So one of the more interesting things about that statement , of course , is and we've talked about it , I think , on this show more than a few times operating under the assumption of compromise . In fact , right before this , right before we hit the record button , we were talking about the last time I
gave a public talk , and it literally just reminds me the title of that talk was the bust out the old deck , and maybe we'll link it to this episode , but it was around the very notion of how we adopt the NIS zero trust principles , because the NIS zero trust principles literally begin with the assumption of compromise , and so , in one breath , they're not saying anything that you shouldn't be doing or they shouldn't have already been doing from an operational standpoint , but what they're actually saying here is no , no , no , no , no . This is not a drill . This is not a drill . Assume that this network is freaking compromised that's a big deal .
Speaker 1And what were your first thoughts , besides just saying , oh shit , like what , like this is a big deal .
Speaker 2You can't shut the barn doors is the first thing that came to mind . Like I do not know if you can uncompromise a network . The thing with the assumption of compromise is you should assume that you also can't uncompromise the network . So in one breath it will certainly accelerate the adoption of zero trust within critical infrastructure . So that's a positive . But the thing that worries me there , of course , is well , the networks should just be considered actually compromised .
Speaker 1Right , okay , so
real quickly . Most of our listeners should probably know this , but let's just play the fun role of Gabe . What is zero trust and why is it the recommended solution that it's going to fall into ?
Speaker 2It's a framework . So , first and foremost , it is not something that is purely tangible . It is not any one singular product . So if anyone told you they have a zero trust that you can buy , be wary . We warned you , we warned you , we warned you . It is a framework under which one of the first , not one of , but the first tenant of zero trust is that network should be treated as though they already compromised . And when you do so , it means that you need to do things like validate access upon every request . So not just grant access and then allow access to always be given upon every request for an asset , revalidate access . That's just one of the many things that zero trust encompasses . It is a NIST framework , it is published by NIST I don't remember the number , unfortunately . I guess I'm not that big of a zero trust geek .
Speaker 1Hey that's all right , that's all right , you don't know everything .
Speaker 2I could probably quickly look it up but it is a framework , and so a lot of vendors selling different security solutions will kind of operate under this banner that their technology will assist you in doing so . That is a good thing . Quite frankly , it's difficult to achieve zero trust without some help in some of those environments . But again , the warning be there is no silver bullet for zero trust . And it is not just technology , it is also protocols and procedures . Right , there's quite a bit more to it .
Speaker 1Can you humor me a little bit on this ? The sophistication and patience of Salt Typhoon . What exactly is that ?
Speaker 2Salt Typhoon is a threat actor believed to be tied to the Chinese government . That is , the threat actor believed responsible behind this breach of the network .
Speaker 1Well , they're a well-sourced cyber espionage group with links to the Chinese state . Yeah , their ability to remain in a network for almost a year without detection points to a high level of sophistication and patience .
Speaker 2Hence the reason I don't know that one can ever trust that network ever again . A year is a long time to bury yourself in .
Speaker 1Yeah , I mean . Obviously the biggest worry is their focus on stealing data that can be used for future , potentially more damaging
attacks on critical national infrastructure . Yeah , yeah , it's not good .
Speaker 2No , it's not good . It's not good , it's not good at all Not good .
Speaker 1So what's being done ? What do you know that's being done so far ? What do you think the this warning ?
Speaker 2being issued . I don't know of anything being done . Well , like , who would handle this ? Do you think the this warning being issued ? I don't know of anything being that well , like , who , like , who would handle this , you think ? Like ? That's also a great question , you know . I'm honestly not certain I know the answer to that , but we've got some foods in the intelligence community . We should probably snag on the show to talk about that . Um , I don't know who picks up the ball from there . Really , I could I could throw out all kinds of wild guesses , but they , they might just be that are wild guesses . Yeah , I don't actually know . I know this much , though , that we should all certainly heed that warning and operate under the same tenets though , yeah , which I guess is just a long-winded way of saying hello , everybody , wake up Please . If you haven't already started adopting zero trust , do so . Do so now . Everyone should adopt ?
Speaker 1Yeah , because to that point there's broader implications that go beyond national security and privacy . So beyond military networks , salt typhoon . Also targeted telecommunication yeah , just like at&t , verizon all compromised record like basically been accused of at&t and verizon was accused of recording private conversations of senior US political figures . There you go they . Targeted critical infrastructure like energy and transportation highlights the potential of widespread , so probably stuff like Uber , I would imagine .
Yeah .
Speaker 1And Lyft and all those type of . There's so much information on that , so this is really big and it's it's saying that this is also a pattern , gabe , this is not just a one off of that .
Speaker 2No , not at all , and it will continue to be .
Speaker 1You know , cyber warfare is the new warfare . Yes , conventional warfare still exists , but it is the new war , yeah . So yeah , this is super interesting , but maybe we'll dig into this a little bit later . If anybody has any questions or knows more about this stuff , we'd love to have you on or just shoot us a message . But yeah , we'll see you guys next week . Gabe , thanks for the chat Right on , right on Next week . It is Sounds good . See you guys .